These now-familiar square images you see in ads, magazines and posters have proved to be the easiest and cheapest way to link the real and the virtual worlds. All you have to do is take a picture of a QR code with your smartphone camera and you can follow a link to information on a website, save a contact’s telephone number or download an application. Marketing specialists love the technology for its sheer simplicity, but so do cybercriminals. Therefore, you need to be very careful when pointing your device’s camera at a QR code.

A QR code (QR being short for quick response) can contain all sorts of text information and/or links to online resources. QR codes have been popular for quite some time in Asia, and are now gaining popularity in Europe and the Americas. They can be seen everywhere: on billboards, goods exhibited in stores, on websites, various types of tickets and coupons…the list goes on and on. At the same time, scams involving QR codes are also gaining in popularity. There are many cases of malicious QR codes being neatly placed over legitimate ones. This practice, with similarities to phishing, has come to be known as QRishing.

It doesn’t take much of a stretch of the imagination to see just how dangerous a QR code could be when displayed in a public place: in the subway, at an airport, a train station, or in a bank, for instance on an ATM. Most people will implicitly trust adverts, and would never imagine such a threat could be lurking in the building of a major bank.

When a user takes a photo of a QR code, the link it stores is first displayed on the device’s screen. However, cybercriminals also use URL shortening services (such as bit.ly and others) to disguise the ultimate address stored in the QR code, which may lead to a page with malware that steals the user’s credentials or to a phishing site.

To reduce this type of threat, follow three simple recommendations:

Be careful. Before scanning a QR code, make sure it is not covering another code. If in doubt, do not scan.

After opening an app store or a website in your browser, make sure that the QR code has taken you to the place you expected to go. If you are about to install an application, make sure it was developed by the company whose ad or info you saw. Check to see the application’s rating and/or customer feedback. If there are very few or none at all, it’s best to postpone the installation. If a code leads to a website, check the complete URL; otherwise, you may fall victim to a phishing scam. Extra caution is advised before entering your personal data or credentials, including email or e-banking data.

If your smartphone allows the installation of security applications that check sites for malicious content and downloaded software for malware, make sure you install such an application. This is especially appropriate for Android smartphones, which are now targeted by thousands of malware programs.
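The URL checks from the second recommendation, combined with the shortener disguise described earlier, can be expressed as a small offline triage of the text decoded from a QR code. This is an added example, not code from the original article or from any Kaspersky product; the function name, the shortener list beyond bit.ly and the sample domains are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small sample list; only bit.ly is named in the article.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

def assess_qr_payload(payload, expected_domain):
    """Return warnings for text decoded from a QR code.

    expected_domain is the site the poster or advert claims to lead to.
    An empty list means none of these checks fired, not that the link is safe.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        scheme = parts.scheme or "none"
        return ["not a web link (scheme %r): review before acting on it" % scheme]
    findings = []
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme == "http":
        findings.append("plain HTTP: the site's identity is not authenticated")
    if parts.username or parts.password:
        findings.append("text before '@' can make the URL look like another site")
    if host in SHORTENERS:
        # The real destination is unknown until the short link is expanded.
        findings.append("URL shortener hides the final address: expand it first")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible look-alike domain")
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        findings.append("host %r is not %r or a subdomain of it" % (host, expected))
    return findings

# Constructed sample payloads; example-bank.com is a placeholder domain.
SAMPLES = [
    "https://www.example-bank.com/promo",
    "https://bit.ly/3abcXYZ",
    "http://example-bank.com.login.example.net/",
    "https://example-bank.com@203.0.113.7/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess_qr_payload(url, "example-bank.com") or "no warnings")
```

The third sample shows why the complete URL matters: the expected name appears at the start of the host, but the registered domain is the part at the end.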

As of the end of January 2015, there is a new and convenient way to avoid malicious links in QR codes – the Kaspersky QR Scanner app. The application, designed for both iOS and Android devices, offers a powerful bundle of scanning and security features.

It functions just like many other QR scanning tools, but employs a smart enhancement: it instantly checks all the links detected in the QR code and notifies the user should there be any threat before redirecting him to the web link.
